Here’s How Police Departments Use Mac Tools For Computer Forensics

If you’ve ever taken apart an Apple device, you know what delicate work it can be.

Imagine trying to extract incriminating child pornography photos from a laptop and you’ll understand why tools that help you see what’s on the device before opening it up are increasingly important in law enforcement.

Thanks to grants from the National Institute of Justice, ATC-NY is offering free training to law enforcement departments for its tools P2P Marshal, which detects, extracts and analyzes P2P evidence on hard drives, and Mac Marshal, which analyzes Mac OS X file system images. These proprietary tools are also offered free to law enforcement departments; further training sessions are available in 2012.

Cult of Mac talked to Thomas Finch, a detective at the police department in Middletown, Delaware, who hosted a Mac Marshal training session, about how these tools save time and money — and why the latest Android smartphone might be a better choice for criminals.

Cult of Mac: Law enforcement has traditionally been PC, is that changing?

Thomas Finch: Mac is picking up speed in law enforcement, for sure. Forensics is just like any other discipline inside IT, it’s becoming extremely specialized. With the popularity of the iPad and the iPhone, the need for better tools is creating a niche market for forensic tools in law enforcement.

CoM: What’s your department set up like?

TF: We started a forensic unit in 2009. Delaware’s a small state, there were only seven or eight examiners in the whole state at the time. In 2010, I took Mac Marshal training, and because of the capabilities the tool offers, I began pushing the department to make basic forensic skills – cell phone and previewing skills – for Mac and PC available to our officers.

We own a few Macs…I personally use a MacBook Pro for forensics, because with the Intel processor it’s dual boot and does double-duty between Windows and Mac. Some tools require Mac OS X to run and from others you can process from Windows. Using the MacBook Pro, you get the best of both worlds.

CoM: Tell me about Mac Marshal.

TF: It’s a tool that allows you to examine another Mac that’s in target disk mode without writing to that machine and it lets you preview what’s on that machine…

CoM: What kind of cases do you use it for?

TF: A lot of sex crimes. It allows me to preview for pics quicker than disassembling a machine, pulling the hard drive out and then using a true forensic tool to find out what’s there.

I use it for triage for photos. A lot of times, especially with child porn, you’re looking for pictures or videos. I’ve also used it for drug cases, theft cases and even some unauthorized-use-of-computer cases, where the Mac was connected to a network. In the end, it doesn’t matter what kind of case it is, it’s more about what kind of information I’m looking for.

CoM: What can’t you see from this “triage?”

TF: You can’t see file slacks or deleted data with it, so unless the data has been overwritten or deleted, you can pretty much see what you need to see without breaking it down.

You still have the option to do a full-blown forensics examination later on.

CoM: So, in the child porn case example, how would it help?

TF: You may need the triage to see how many videos are on there to decide the initial charges. Then you can go back and do a full examination later, as the case heads to trial. But if you’re looking for probable cause and you want to exclude or include that as evidence and you’re looking for something specific, it’s really good for that.

CoM: What’s the training like?

TF: It’s eight hours of initial training, although most people come with some background in forensics. I had hundreds of hours of training before that. As with any kind of training, money is a factor, this training is free so it’s worth eight hours of looking at the tool and then being able to use it. About half of the people there were federal agents, half were traditional law enforcement.

With forensics becoming very specialized, you need multiple tools to accomplish your goals…

CoM: What are some of those other tools?

TF: I use iOS tools, including Lantern and Cellebrite, which supports about 8,000 cell phones…Those are probably the two biggest other products that I use for iPads, iPhones and iPods…The lab has forensic machines – ours are from Digital Intelligence…We also use EnCase software from Guidance and the Access Data toolkit…

CoM: It sounds like there are a lot of different companies offering proprietary products?

TF: It’s becoming more specialized, especially with Mac. There are some open source tools that are helpful but a lot of them are proprietary…

CoM: Are there tools you wish you had that don’t exist yet?

TF: With Mac and iOS, it’s more about keeping up with new products, like the new iPad or iPhone 4s and the chipset changes…With iOS 5.0, there were some changes that caused developers to go back and make changes to their programs, so there’s a lag.

It’s more an issue with cell phones — new ones are being released all the time and it’s tough to keep up, mostly because we don’t have the tools…

CoM: So, if you want to commit the perfect crime you should get the very latest Android phone?

TF: Not so much perfect, but it might buy you time. If you use one of those phones and keep everything in the cloud, it will be more difficult. You’ll leave a footprint somewhere, it’s just a matter of us finding it…

About the author:

Nicole Martinelli is a San Francisco freelance writer who heads up Cult of Mac Magazine, our weekly publication available on iTunes. You can find her on Twitter and Google+. If you're doing something new, cool and Apple-related, email her.

Ross McManus

Awesome, I studied Forensic Computing at Uni and everything was done on PCs using tools such as FTK (Forensic Toolkit), Sleuth Kit & Autopsy (Open Source)

Len Williams

Of the 9 laptops in the photo, it appears that only 2 are Macs. Still, it’s good to see Macs weaving their way into police work. After all, some criminals use Macs (but only the most discerning ones, or those that have stolen one).

Dave Melvin

In order to do an effective computer forensics examination on a Mac, you need to use a Mac to do it. Windows tools do not understand how the Mac saves metadata and other information for each file. If you use only a Windows based forensic suite, you will be missing data. The nice thing about using a Mac for forensics is that it basically comes out of the box ready to go. Add a few free and low cost tools and you are ready to examine another Mac. The best training IMHO out there for Mac Forensics is Sumuri.com & BlackBagTech.com. Both offer basic to advanced classes. Inside the Core is a Mac Forensics podcast that may be of interest.